z-push behind Basic authentication

I know, it’s more a question on the ActiveSync Client than on z-push, but I hope I get an answer anyway: is it possible to hide z-push behind a Basic authentication?

Currently, I use z-push with Zarafa in my Intranet only. I’m not too happy exposing it directly to the Internet, so I’d like to put a reverse Proxy ahead of z-push, but this requires Basic authentication.

Do you belive I can make this work? Is it known that ActiveSync Clients must Support Basic autentication, or is ActiveSync designed to never be behind another authentication?

That’s indeed what I see, too. My ActiveSync Client Software (MS Office, Nine) does not have a field for pre-authentication to the AS server. So I have to assume, pre-authentication is simply not part of ActiveSync. Probably, my only chance is to force requesting a client certificate. I have to look in the docs if this can be done…

I still don’t understand why you are nervous about exposing z-push outside though.

If it goes via SSL (that is port 443) and requires authentication to log in (i.e. the Kopano username and passoword) the worse that can happen is that someone finds out the password of that particular kopano user?

But still that would be one user only, not the entire company.

And plus users should be careful with their passwords!

It isn’t dissimilar from Office 365 or whatever… they too have to allow for this…

for a matter of fact ActiveSync clients already use Basic Auth to login to the server. That is how authentication is supposed to work. If it makes you feel better, you could add an additional layer of basic auth in the webserver, but this will only work if this uses the same credentials as kopano (which can be done if you use ldap for login).

For an additional layer of security ssl client certificates could be used. the downside of this is that not all clients do support that.

I run my Zarafa server behind a authenticating reverse proxy, as I want to reduce the attack surface of my company. For that reason, I’d like to protect z-push too. Client certs seem to be a fair chance.